Wednesday, January 09, 2008

The fine line between security and usability

If you are moving beyond basic web site development and into the realm of corporate or business sites, you will find that there can be a fine line between security and usability.

With all of the scares about viruses, questionable attachments, and surfing and picking up Trojans, people are a lot more wary about visiting web sites. Add in the whole issue of data loss and users are afraid to leave their details anywhere that could be compromised.

One solution is a VPN, or virtual private network, which I'll cover in more detail next week. Others include firewalls, logon or member systems, security at the database and server ends, encryption of both data and connections, and so on.

A long time ago we looked at HTTPS, the system developed by Netscape before it was steamrolled by Microsoft. As a reminder, it provides a secured connection between the user and the server by adding an encryption/authentication layer between HTTP and TCP, on a different port (443). Essentially it works the same as HTTP but protects your data transfer from eavesdropping.

If you have ever seen a Windows panel pop up informing you that the certificate from the site you are accessing has not been validated, that is an indication that a secure connection is supported. Certificates are part of the public-key encryption aspect of a secure connection.

Certificates can be issued by you as the site owner or through a recognised issuing authority; you get the warning in the former case. The irony here is that just because the issuing authority is authorised does not mean that the site you are visiting is safe.

The level of protection is also limited because it depends on the correctness of the implementation in the web browser and the server software, and on the cryptographic algorithms actually supported. The general rule is that the weaker the encryption, the easier it is to crack.

In addition, HTTPS only protects data in transit from eavesdropping and "man in the middle" attacks. Once the data arrives at the destination then it is only as safe as the computer it is on. To quote Gene Spafford, this is like "using an armoured truck to transport rolls of pennies between someone on a park bench and someone doing business from a cardboard box."

To play with this technology you will need to read up on SSL (secure sockets layer), which you can get for free as OpenSSL, along with its certificate issuing software.
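As an added example that is not part of the original article: a Go program that builds a self-signed certificate and one issued by a recognised authority, then checks which of them a client would accept. It uses Go's standard crypto/x509 library instead of OpenSSL so it runs with no external tool; the host names shop.example.test and ca.example.test and the function names are made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for host. With parent == nil it is self-signed (the "issued by
// you as the site owner" case); otherwise parent/parentKey act as the recognised issuing authority.
func issue(host string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if rand.Reader does
	tmpl := &x509.Certificate{ // key usages kept identical for both roles to keep the example short
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IsCA: isCA, BasicConstraintsValid: isCA,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil { // self-signed: the certificate vouches for itself
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // re-parse the DER we just produced
	return cert, priv
}

// browserWarns reports whether a client that trusts only roots would show the
// "certificate has not been validated" panel for server when visiting host.
func browserWarns(server *x509.Certificate, host string, roots *x509.CertPool) bool {
	_, err := server.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err != nil
}

func main() {
	trusted := x509.NewCertPool() // the client's trust store, empty to start with
	self, _ := issue("shop.example.test", false, nil, nil)
	fmt.Println("self-signed -> warning:", browserWarns(self, "shop.example.test", trusted))
	ca, caKey := issue("ca.example.test", true, nil, nil)
	trusted.AddCert(ca) // the client recognises this issuing authority
	leaf, _ := issue("shop.example.test", false, ca, caKey)
	fmt.Println("CA-issued -> warning:", browserWarns(leaf, "shop.example.test", trusted))
}
```

A chain that verifies only tells the client who issued the certificate and for which host; it says nothing about whether the site behind it is safe.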

While you can start working on making your site more secure for your users, sometimes the issue is outside your control. Consider Microsoft's inclusion of the Macrovision DD in a Windows XP and 2003 update. The result was that a lot of people were confused as to why they suddenly had to install core system components for their new game. The patch was actually aimed at a company that did not want such game software on its machines, as a security measure from Microsoft. The result was yet another patch to keep their non-business users happy.

The issue here is: does adding a security feature make the system harder for your customers or visitors to use? Sometimes a company like Microsoft will simply list a file type as unsafe (see KB article 925330). If you look at the list, however, it includes .exe, .cmd, .bat, .vbs, .js, .mdb, .doc and .xls. That is a lot of file types that can be considered exploitable. If you filter these out for your customers, it does not leave you with a whole lot to exchange with them. Microsoft's recommendation is "Customers must verify that a file was not sent by a virus that is running on the sender's computer."

The issue then becomes one of common sense. In some cases Microsoft will not even issue a fix for a known exploit, such as some found in the Access Jet engine. If you are thinking about improving security you will need to be careful not to scare your visitors away. We will look at some of these issues in follow-up articles.